With the increasing use of computers in modern society, computer systems and networks have become increasingly subject to cyber-attacks intended to disrupt the systems, steal data, cause application defacement, manipulate behavior, or a combination of these. Accordingly, the field of cyber security has developed to combat such cyber-attacks.
Among others, such attacks currently include denial of service (DoS) and distributed DoS (DDoS) attacks, authorization attacks, worm propagation, network scanning, application scanning, and the like. For example, DoS and DDoS attacks dispatch large numbers of network packets or application requests to overload network resources, resulting in denial of service to legitimate users. As a further example, one type of DoS attack is a UDP flood attack, in which the attacker attempts to saturate random ports of a host in a protected network with UDP packets.
Existing cyber security solutions attempt to detect cyber-attacks using behavioral analysis. To this end, a baseline demonstrating normal behavior of a protected entity is determined, and any detected substantial deviation from the baseline indicates a potential attack. For example, an average UDP packets per second (PPS) received at a port of a protected entity can be determined as the baseline. Traffic with a UDP PPS significantly higher than the determined baseline can be determined as malicious.
Existing cyber security solutions for attack detection typically analyze incoming data purely from a quantitative point of view using baselines. As such, the baselines serve as the principal references for the dynamic characteristics of the traffic. The quality of a baseline reference influences the accuracy with which abnormal behavior is detected. The quality of a baseline is typically determined by its steadiness, smoothness, noise, and so on. On the other hand, a baseline should adequately represent the actual traffic trends. Thus, there is a tradeoff between forming a steady, smooth baseline with minimal ripple and having the baseline follow the average temporal changes in the traffic.
Baseline-based attack detection typically involves a set of threshold levels. Such levels are set based on statistics collected for the network traffic, technical restrictions of the networks, and expected traffic characteristics. The collected statistics are analyzed to determine the values of the baseline's levels. The statistics are continuously collected and analyzed during peacetime (i.e., while no attack is in progress) to provide adaptive baselines. Some threshold levels are set to default configurable values.
The analysis of the collected statistics is performed using digital filters. Examples of such filters include a moving average filter and an exponentially fading filter (a two-tap infinite impulse response filter, also known as an IIR filter). The filters are often manually configured according to a user's experience. For example, an IIR filter can provide continuous averaging by applying statistical weights to the collected statistics related to the baseline parameters. The weights ensure that the influence of "old" collected samples decreases as they become more remote in time. In this example, the weights and the fading coefficient (a) of the IIR filter are configured by the user.
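As an added illustration of the baseline mechanism described above (the UDP PPS baseline, the threshold levels with default values, peacetime-only statistics collection, and the moving average and exponentially fading IIR filters), the following Python program is provided. It is not part of the original document; the class and function names, the threshold factor, the floor value, and the packets-per-second samples are all assumed or constructed for the example.

```python
"""
Baseline-based UDP flood detection with a moving-average filter and an exponentially
fading (single-pole IIR) filter. Added illustration, not from the original document;
the names, the threshold factor, the floor value and the PPS samples are assumptions.
"""
from collections import deque


class MovingAverage:
    """Baseline = mean of the last `window` peacetime samples (None until the window is full)."""

    def __init__(self, window):
        self.window = window
        self.buf = deque(maxlen=window)

    def value(self):
        if len(self.buf) < self.window:
            return None
        return sum(self.buf) / self.window

    def update(self, x):
        self.buf.append(x)


class ExponentialFade:
    """Single-pole IIR: y[n] = a*x[n] + (1 - a)*y[n-1].

    A sample k steps old carries weight a*(1-a)**k, so older samples fade out; the
    fading coefficient `a` is the user-configured parameter named in the text.
    """

    def __init__(self, a, seed=None):
        if not 0.0 < a <= 1.0:
            raise ValueError("fading coefficient must be in (0, 1]")
        self.a = a
        self.y = seed

    def value(self):
        return self.y

    def update(self, x):
        self.y = x if self.y is None else self.a * x + (1.0 - self.a) * self.y


def detect_udp_flood(pps_samples, filt, factor=3.0, floor_pps=500.0):
    """Flag UDP PPS samples that exceed max(floor_pps, factor * baseline).

    `floor_pps` acts as a default configurable threshold level, so a small burst on
    an otherwise idle port is not reported as a flood. Flagged samples are NOT fed
    into the filter: only peacetime traffic shapes the baseline, so the attack cannot
    raise the threshold it is compared against. Returns (index, pps, baseline) tuples.
    """
    alerts = []
    for i, pps in enumerate(pps_samples):
        base = filt.value()
        if base is not None and pps > max(floor_pps, factor * base):
            alerts.append((i, pps, base))
            continue
        filt.update(pps)
    return alerts


def baseline_ripple(a, samples, tail=10):
    """Peak-to-peak variation of an IIR baseline over the last `tail` samples (smoothness)."""
    filt = ExponentialFade(a)
    trace = []
    for x in samples:
        filt.update(x)
        trace.append(filt.value())
    tail_vals = trace[-tail:]
    return max(tail_vals) - min(tail_vals)


def samples_to_settle(a, old_level, new_level, tolerance=0.1):
    """Number of updates an IIR baseline seeded at old_level needs to come within
    `tolerance` of a new legitimate traffic level (responsiveness, the other side
    of the smoothness tradeoff)."""
    filt = ExponentialFade(a, seed=float(old_level))
    n = 0
    while abs(filt.value() - new_level) > tolerance * new_level:
        filt.update(float(new_level))
        n += 1
    return n


# Constructed data: 20 noisy peacetime samples near 1000 UDP PPS, a 5-sample flood
# at 12000 PPS, then a return to normal.
PEACETIME_PPS = [950.0, 1050.0] * 10
FLOOD_PPS = [12000.0] * 5
SAMPLE_PPS = PEACETIME_PPS + FLOOD_PPS + [1000.0] * 5

if __name__ == "__main__":
    for name, filt in (("moving average", MovingAverage(10)), ("IIR a=0.2", ExponentialFade(0.2))):
        hits = detect_udp_flood(SAMPLE_PPS, filt)
        print(f"{name}: flagged sample indices {[i for i, _, _ in hits]}")
    print("ripple a=0.1:", round(baseline_ripple(0.1, PEACETIME_PPS * 3), 2),
          "ripple a=0.5:", round(baseline_ripple(0.5, PEACETIME_PPS * 3), 2))
    print("settle a=0.1:", samples_to_settle(0.1, 1000, 2000),
          "settle a=0.5:", samples_to_settle(0.5, 1000, 2000))
```

The two helper functions make the tradeoff of the preceding paragraphs concrete: a small fading coefficient yields a baseline with little ripple on noisy peacetime traffic, but needs many more samples to follow a legitimate change in traffic level, while a large coefficient tracks quickly at the cost of a rippled baseline. Withholding flagged samples from the filter is the practical counterpart of "statistics collected during peacetime".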
To allow accurate detection, a baseline should be adaptive to changes in the incoming traffic. The manual configuration may negatively affect the ability to determine an accurate and adaptive baseline. Further, due to the random nature of incoming data, baselines also demonstrate randomness with a probability distribution depending on both the input data and the features of the applied filter. Thus, manual configuration may reduce the quality of the baselines, leading to less accurate detection.
It would therefore be advantageous to provide a solution that would overcome the deficiencies of the prior art.